You’ve seen the headlines. Computer hackers access personal, financial and medical data for millions of Anthem and Premera Blue Cross customers. Hard drives containing tens of thousands of individuals’ insurance information stolen while in route from the Indiana State Medical Association to an offsite storage facility. We are all familiar with data breaches caused by external hacks into company data storage systems and stolen equipment, but what about data breaches caused by internal bad actors? Beware of the rogue employee! A single employee impermissibly accessing protected information can lead to costly litigation under various laws, including the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the False Claims Act (“FCA”).
It can be extremely hard on a company’s bottom line and public perception when isolated data breaches lead to litigation and public scrutiny of the company’s policies and procedures for data protection. To avoid being on the receiving end of unwanted litigation and publicity, shrink the window of opportunity for your employees to act maliciously. You can employ several mechanisms to protect against these and other threats: 1) removing local administrative access so that only enterprise administrators can access sensitive data; and 2) deploying software that locks any unauthorized applications from being introduced to the system; and 3) requiring all administrative actions to be logged; and 4) implementing role-based access controls. Keep in mind that company data and IT administrators and related independent contractors (Edward Snowden, for example) have the most access to data and computer systems, and as a result, represent the most significant threat to data security. Be sure to apply additional scrutiny and strict controls related to these positions. In addition to these four defensive mechanisms, you can take an offensive stance by monitoring the normal activity on your system while keeping an eye out for unusual activity. This allows you to establish a baseline of network activity against which you can compare current activity to more quickly identify anomalies. This is the trend and will continue to gain traction.
Removing Local Administrator Access
This removes from local desktops the computer user’s ability to run administrative functions from an individual workstation. When local access is removed, individuals can run only approved applications and cannot bypass any security mechanisms that you may have put into place to audit and monitor actions.
Various software products can help companies prevent malicious software and unapproved applications from affecting their server environments. Software has been designed to restrict the programs that operators can use so that only approved applications will run on a server where the software is in effect.
Logging Administrative Actions
Companies can implement and monitor policies requiring all administrative actions to be logged. Such logs can prevent unauthorized access and use of the system. Not only are activities logged, but the system can be designed to provide alerts and report activities based on the types of use patterns monitored in the logs, allowing a company to investigate and follow-up on any unusual activity.
Role-Based Access Controls
Role-based access controls limit a system’s functionality based on the role of the person requesting the access. Not all users may conduct the same activities. These controls allow a user to attempt to access or use a system, but then, based on the information known about the individual, determine whether to allow the action to execute. If the individual requesting access or a certain type of action is not authorized, the action will not execute. Or, depending on the role of the individual making the request, the action may be elevated to a second-level review and sign-off prior to taking effect. These controls can review a complex set of data in making a determination on whether to allow an action to commence. For example, they can check a current employee roster or work scheduling system to verify whether an individual is employed or whether the person is on a vacation. To work effectively, role-based access controls require up-to-date and accurate input.
Developing a picture of normal activity within your system arms you to better detect outliers. Long-term system observation establishes an historical baseline for normal operations and activities. Once such a baseline is established, constant system monitoring makes it easy to spot anomalies and threats. Although establishing a baseline takes time, once in place, constant baseline comparison forces a deeper understanding of your company’s activities and allows you to take proactive measures quickly when you spot an abnormality.
Implementing one, or all of these mechanisms, will greatly reduce the ability of the rogue employee to compromise your company’s protected data and hurt your bottom line.